TRANSGRESSION Charter

Original:
Discover, understand, evaluate, and exploit foreign
CNE/CNA exploits, implants, command & control
and exfiltration.

Moving Forward:
Provide cryptanalytic exploitation support for
Network Defense (NTOC and IAD), 4th Party
SIGINT (S2, NTOC and TAO), and Cyber (TAO,
RATWHARF) missions.
MAKERSMARK, RDP Lead
1 CADP, 2 CMP (including DSD Integree), 1 RSE, 2 NIE, 2 STDP
Major Intrusion Set Efforts

MAKERSMARK
  Enable WALKERBLACK/RED exploitation/improve collection

CROWNROYAL, CROWNPRINCE, SHEPHERD, Zebedee

BYZANTINE HADES
  NetDef RDP exploitation
  Trojan/beacon deobfuscation

MAVERICK CHURCH
  PPTP, POPROCKS

VOYEUR (GHOSTRECON)
  Victim exfil
  SSL collection

NIGHTTRAIN
  Decryption and processing of TAO exfil and passive collect
  SRE of malware

SHADOWDRAGON
  RDP and password recovery
  FAA password recovery

RECORDER
  Processing and decryption of passive collect

PLAIDDIANA/INCAADAM
  Deobfuscation of passive collect

TWEEZERS
  Processing and decryption of passive collect

SNOWGLOBE
  Processing and decryption of passive collect

WIDOWKEY/SUPERDRAKE
  Future processing and decryption

Numerous other watchlist intrusion sets

Many one-off customer requests — cyber cryptanalysis support

 

 

Over 50 daily workflows
SIGINT and POLARSTARKEY (NetDef)
Fingerprints and Microplugins
GUI Workflows and Webservice
XKS Webservice
xksql and xkproc
tfsql and tfproc
Data flow: Victim -> LP -> TAO Op -> TUNINGFORK -> TRANSGRESSION -> SCISSORS -> PINWALE and Cloud
Where does our data come from?

XKEYSCORE
TUNINGFORK
TAO Direct
NTOC Internal
NTOC External
AFOSI/NCIS
FBI
Cyber Command
What Kinds of Data? (What is the plaintext)

Command & Control
  RDP, RAdmin (heavyweight)
  many home-grown (lightweight)
File transfer
  Actor -> Victim (malware)
  Victim -> Actor (exfil)
Email
Credentials
What Kinds of Encryption?
1 - "Commercial"

SSL/TLS
SSH
PGP
PPTP
RDP / RAdmin
What Kinds of Encryption?
2 - Other

Block Ciphers (DES, 3DES)
Stream Ciphers (RC4)

Masking
  short or long, fixed or variable

Layered Encryption
Crypt Examples: Layered Encryption

BYZANTINE FOOTHOLD
  SSH
  Mod DES

WIDOWKEY
  8mmeBweXOR
  Fixed Key mask
  3DES
Crypt Examples: Setting Key

Fixed (ADJUTANT VENTURE)
From Message Header (RAPTOR ROLEX)
From Packet Headers (RAPTOR JOY/SAD)
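The masking, layered-encryption and key-setting slides above name the building blocks (a repeating XOR mask, a fixed or header-carried key, one layer stacked on another) but show no code. The following Python is an added example, not code from the slides and not the real format of any intrusion set named on them: it builds a constructed layered scheme, a repeating XOR mask under a base64 layer, in a fixed-key form and in a form where the per-message key travels in the message header, and shows how an analyst recovers a fixed mask from a captured message whose first bytes are a known constant header. SAMPLE_KEY, SAMPLE_HEADER and SAMPLE_PLAINTEXT are constructed sample values.

```python
import base64
from itertools import cycle

# Constructed sample values (not from the original slides): an 8-byte fixed
# mask and a beacon message whose first 8 bytes are a known, constant header.
SAMPLE_KEY = bytes.fromhex("1337c0de0badf00d")
SAMPLE_HEADER = b"BEACON01"
SAMPLE_PLAINTEXT = SAMPLE_HEADER + b"|host=ws-17|user=analyst|cmd=idle"


def xor_mask(data: bytes, key: bytes) -> bytes:
    """Apply a repeating XOR mask. XOR is its own inverse, so the same call
    both masks and unmasks; a 'short' mask is simply a short key."""
    if not key:
        raise ValueError("mask key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def wrap_fixed(plaintext: bytes, key: bytes) -> bytes:
    """Layered encoding with a fixed (pre-shared) mask: XOR, then base64."""
    return base64.b64encode(xor_mask(plaintext, key))


def unwrap_fixed(blob: bytes, key: bytes) -> bytes:
    """Peel the layers in reverse order: base64 first, then the XOR mask."""
    return xor_mask(base64.b64decode(blob, validate=True), key)


def wrap_header_keyed(plaintext: bytes, key: bytes) -> bytes:
    """Variant where the per-message mask is carried in the message header."""
    return base64.b64encode(key + xor_mask(plaintext, key))


def unwrap_header_keyed(blob: bytes, key_len: int = 8) -> bytes:
    """Read the mask from the first key_len bytes, then unmask the body."""
    raw = base64.b64decode(blob, validate=True)
    if len(raw) <= key_len:
        raise ValueError("message too short to carry a key and a body")
    return xor_mask(raw[key_len:], raw[:key_len])


def recover_fixed_mask(masked: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Derive a fixed mask of length key_len when the first key_len bytes of
    plaintext are known (here: a constant protocol header). Because the mask
    repeats, those key_len bytes are the whole key."""
    if len(known_prefix) < key_len or len(masked) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext and ciphertext")
    return bytes(c ^ p for c, p in zip(masked[:key_len], known_prefix[:key_len]))


def analyse_sample() -> dict:
    """Round-trip both variants and recover the fixed mask from the header."""
    fixed_blob = wrap_fixed(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    keyed_blob = wrap_header_keyed(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    masked = base64.b64decode(fixed_blob)
    return {
        "fixed_ok": unwrap_fixed(fixed_blob, SAMPLE_KEY) == SAMPLE_PLAINTEXT,
        "keyed_ok": unwrap_header_keyed(keyed_blob) == SAMPLE_PLAINTEXT,
        "recovered_key": recover_fixed_mask(masked, SAMPLE_HEADER, len(SAMPLE_KEY)),
    }


if __name__ == "__main__":
    print(analyse_sample())
```

The point of `recover_fixed_mask` is that a fixed mask offers no secrecy once any key-length stretch of plaintext is predictable, which is exactly the property a decryption workflow for passive collect relies on; a variable (per-message) mask only moves the problem to wherever the key is set, as the "From Message Header" case shows.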
(U//FOUO) Who to Contact?

Email:
Wiki:
Encodings

None (raw binary)
base64
Modified base64 (BYZANTINE RAPTOR)
  A permutation of the 64 base64 characters
HTML Character encoding (ADJUTANT VENTURE)
  e.g., 0x1278cd = '&#18;&#120;&#205'
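The two non-trivial encodings above, a permuted base64 alphabet and HTML numeric character references, are easy to get wrong in a decoder. The following Python is an added example, not code from the slides: SAMPLE_ALPHABET is a constructed rotation of the standard base64 table (the real BYZANTINE RAPTOR permutation is not given on the page), and the HTML decoder accepts the slide's own sample value, including its missing final semicolon, while rejecting references that do not fit in one byte.

```python
import base64
import re
import string

# Standard base64 alphabet in table order (index 0 = 'A', index 63 = '/').
STD_B64 = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed permuted alphabet for the example: the standard table rotated
# by 13 positions. A real modified-base64 scheme would be recovered from the
# sample under analysis, not assumed.
SAMPLE_ALPHABET = STD_B64[13:] + STD_B64[:13]


def decode_custom_base64(data: str, alphabet: str, pad: str = "=") -> bytes:
    """Decode base64 written with a permuted 64-character alphabet by mapping
    each character back onto the standard table and reusing the stock decoder."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain 64 distinct characters")
    if pad in alphabet:
        raise ValueError("pad character must not appear in the alphabet")
    std = data.translate(str.maketrans(alphabet + pad, STD_B64 + "="))
    std += "=" * (-len(std) % 4)  # tolerate padding stripped by the sender
    return base64.b64decode(std, validate=True)


def encode_custom_base64(raw: bytes, alphabet: str, pad: str = "=") -> str:
    """Inverse of decode_custom_base64; handy for building test vectors."""
    std = base64.b64encode(raw).decode("ascii")
    return std.translate(str.maketrans(STD_B64 + "=", alphabet + pad))


# One numeric character reference: decimal (&#18;) or hex (&#x12;). The
# semicolon is optional because the slide's own example omits the last one.
_NUMREF = re.compile(r"&#([xX][0-9a-fA-F]+|[0-9]+);?")


def decode_html_numeric(text: str) -> bytes:
    """Turn a run of HTML numeric character references into the bytes they
    carry, e.g. '&#18;&#120;&#205' -> bytes 12 78 cd. Anything that is not a
    reference, or that does not fit in one byte, is rejected."""
    out = bytearray()
    pos = 0
    for m in _NUMREF.finditer(text):
        if m.start() != pos:
            raise ValueError(f"unexpected text at offset {pos}: {text[pos:m.start()]!r}")
        ref = m.group(1)
        value = int(ref[1:], 16) if ref[0] in "xX" else int(ref, 10)
        if value > 0xFF:
            raise ValueError(f"reference &#{ref}; does not fit in one byte")
        out.append(value)
        pos = m.end()
    if pos != len(text):
        raise ValueError(f"trailing text at offset {pos}: {text[pos:]!r}")
    return bytes(out)


def encode_html_numeric(raw: bytes) -> str:
    """Inverse of decode_html_numeric (decimal form, every reference terminated)."""
    return "".join(f"&#{b};" for b in raw)


if __name__ == "__main__":
    print(decode_html_numeric("&#18;&#120;&#205").hex())        # 1278cd
    print(encode_custom_base64(b"hello", SAMPLE_ALPHABET))      # nTi5oTJ=
    print(decode_custom_base64("nTi5oTJ=", SAMPLE_ALPHABET))    # b'hello'
```

Mapping a permuted alphabet back onto the standard table keeps the decoder small and lets `validate=True` reject characters outside the alphabet, which is what you want when the decoder is fed unfiltered collect. The strict offset check in `decode_html_numeric` matters for the same reason: silently skipping unparseable stretches would hide a second encoding layer or a different variant of the scheme.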